Security scan
OpenClaw
Security
High confidence: The skill's instructions, requirements, and outputs are coherent with its stated purpose as an instruction-only code security review checklist; nothing requests unrelated credentials or installs arbitrary code.
Assessment recommendation
This instruction-only skill appears coherent and low-risk, but check these before installing: (1) provenance — the metadata shows 'RedHat Dev' inside files but the registry owner differs; verify the author/owner you trust. (2) Access scope — the skill expects a 'scope' (files/diff); ensure you only supply the code you want analyzed and that the agent does not have unintended filesystem or repo access. (3) Secrets handling — the SKILL.md says to redact secrets, but confirm how the agent/platform ...
✓ Purpose and capabilities
The name/description describe reviewing code for secrets, auth, injection, dependencies and unsafe execution; the SKILL.md contains step-by-step checks that map directly to that purpose and does not request unrelated capabilities.
ℹ Instruction scope
Instructions are focused on reviewing a supplied 'scope' (files/diff) and list concrete checks. They do not direct the agent to call external endpoints or read unrelated system files. However, the guidance is somewhat high-level (expects the agent to determine how to scan the scope) and therefore relies on the agent having access to the repository or code artifacts provided by the user; that operational requirement is implied but not declared.
✓ Install mechanism
There is no install spec and no code files to execute; this is instruction-only, so nothing is written to disk or downloaded at install time.
ℹ Credential requirements
The skill declares no required environment variables or credentials, which is proportionate. Be aware that to perform real reviews the agent (or caller) must supply the code/diff; the skill does not request repo tokens but practical usage may require the environment that hosts the agent to already have access to the codebase — that access is external to the skill and should be controlled by you.
✓ Persistence and permissions
'always' is false and the skill does not request persistent presence or modify other skills. Autonomous invocation is allowed (platform default), but no other elevated privileges are requested.
Security is layered; review the code before running it.
Runtime dependencies
No special dependencies
Version
latest v1.0.0 2026/4/24
Initial release for axodus-security-checks.
- Adds skill to perform structured security reviews focused on secrets exposure, auth/authz weaknesses, injection risks, dependency safety, and unsafe execution paths.
- Accepts customizable input scopes, threat models, languages, and constraints.
- Delivers a YAML-formatted, evidence-based findings report with severity and remediation.
- Includes strict rules for secret handling and escalation on sensitive changes.
- Intended for use before deployment or after significant security-relevant changes.
● Benign
Install command
Official: npx clawhub@latest install axodus-security-checks
Mirror (accelerated): npx clawhub@latest install axodus-security-checks --registry https://cn.longxiaskill.com